Organizations are constantly exposed to cyber-attacks. Some of those that have been cyber-attacked hire a cybersecurity firm to investigate and trace the hackers’ tracks, and may also go the extra mile and hack-into the hackers’ computer systems in order to mitigate the damage, uncover more information about the hackers’ methods, disable their infrastructure and better assess the scope and nature of the information they managed to leak. But is hacking into the hackers’ computer systems legally permissible under Israeli law?
If you think this scenario is far-fetched, think again:
- Check Point, a leading IT security provider, recently disclosed that as part of its investigation into cyberattacks by a group dubbed “Rocket Kitten”, Check Point had gained unfettered access to the group’s systems by exploiting their lack of security measures.
- In early 2013, itrust consulting, a Luxembourger company specializing in IT security, disclosed that it hacked into command and control servers used by a hacking group reportedly sponsored by the Chinese government, by exploiting vulnerabilities in those servers.
Command and Control
Hackers often surreptitiously use the computers of unsuspecting third parties as command & control servers for their hacking campaigns, as storage space for leaked data, or as machines from which attacks are launched. Counteroffensives could therefore end-up causing collateral damage to third parties, while only marginally impacting the hackers. Such innocent third parties might press charges, putting an abrupt end to the notion that an ‘attack against an attacker’ is insulated from liability.
In Israel, unauthorized access to computers is primarily governed by the Israeli Computers Law and to some extent also by the Israeli Protection of Privacy Law. The Israeli Computers Law criminalizes the “unlawful penetration to computer material located in a computer”.
The Israeli Supreme Court recently held that the term “unlawful penetration” is to be interpreted very broadly to mean any use of computer without the owner’s consent. The Court explicitly rejected the notion that the term should be interpreted to cover only instances of penetration to computers where technical access barriers are circumvented. The court favored the broad interpretation due to “… the incredible potential for damage emanating from computer crime”, and noted that concerns for overreaching criminalization of negligible acts would be resolved by having prosecutors and courts use the de minimis exception to criminal liability. But this in no way suggests that Israeli courts are likely to determine that “hacking a hacker” falls under the de minimis exception.
Resorting to offensive action as a countermeasure to right some wrongdoing is akin to “self-help” in law. Applied to criminal law, “self-help” takes the form of exculpations – rules of law that justify or excuse conduct that would otherwise be criminally punishable. An interesting question is therefore whether “hacking a hacker” can be criminally excused or justified under exculpations such as “self-defense”. Although there is no Israeli case-law precisely on point, we believe that these exculpations would be inapplicable.
For instance, under Israeli law, the self-defense exculpation is conditioned on the existence of an immediate need to fend-off an attack that poses imminent threat to one’s freedom, life, body or property, and it is subject to the use of proportional measures.
Proportionality in Israeli law is a three-part test. First, the counteroffensive must be a suitable measure to fend-off the hacker’s cyberattack. Next, the counteroffensive must be the least harmful measure needed to fend-off the cyberattack. Finally, the benefit arising from fending off the attack should be commensurate with the harm caused by utilizing the counteroffensive measures. Under these criteria, it is difficult to see how hacking a hacker would be deemed a proportional measure to fend-off an attack.
Admittedly, another key factor in the picture is the extent and degree to which prosecutors would pursue criminal charges for counteroffensives against hackers. But that largely hinges on prosecutorial policy that is yet to be formulated and made public.
Under Israeli law, the practice of engaging in counteroffensives against hackers entails legal risks that should not be overlooked. Even if the likelihood of criminal charges is not high, it cannot be outright ruled out, especially if the counteroffensives cause collateral damage to third parties.